Issue 2550711: Reflected cross-site scripting in 'action' parameter. - Roundup tracker

classification

Title:	Reflected cross-site scripting in 'action' parameter.
Type:	security	Severity:	minor
Components:	Web interface	Versions:	1.4

process

Status:	closed	Resolution:	fixed
Dependencies		Superseder:
Assigned To:	schlatterbeck	Nosy List:	om, schlatterbeck
Priority:		Keywords:

Created on 2011-07-05 11:47 by om, last changed 2012-01-05 15:25 by schlatterbeck.

Messages
msg4325	Author: [hidden] (om)	Date: 2011-07-05 11:47
The content of action_name is not encoded before displaying an error message. Example: /support/issue1?@action="><script>alert(1)</script> The issue is in the following line from cgi/client.py: raise ValueError('No such action "%s"'%action_name)
msg4468	Author: [hidden] (schlatterbeck)	Date: 2012-01-05 15:25
Fixed in Git c29ac93 thanks for reporting!

History
Date	User	Action	Args
2012-01-05 15:25:13	schlatterbeck	set	status: new -> closed assignee: schlatterbeck resolution: fixed messages: + msg4468 nosy: + schlatterbeck
2011-07-05 11:47:11	om	create